Why does Sendgrid require two domain keys?

Key findings

• Security Enhancement: The primary reason for multiple DKIM keys is to facilitate regular key rotation, which is a fundamental security practice.
• Risk Mitigation: By periodically changing the DKIM keys, the window of vulnerability in case of a private key breach is significantly reduced.
• Seamless Transition: Two keys allow ESPs to update one key while the other remains active, ensuring uninterrupted email signing and authentication during the rotation process. This concept is similar to how CNAME delegation enables SPF and DKIM authentication for email sending.
• Industry Standard: Major ESPs and email security experts recommend or implement key rotation as a best practice for strong email authentication.

Key considerations

• DNS Management: Users must correctly configure multiple CNAME records in their DNS to point to the ESP's key servers. This process is detailed in SendGrid's own documentation.
• Authentication Integrity: Improper configuration of DKIM records can lead to authentication failures, impacting email deliverability.
• Complexity vs. Security: While setting up multiple keys adds a layer of complexity, the security benefits of regular key rotation far outweigh the initial setup effort. This is crucial for maintaining a strong sender reputation and avoiding blocklists.
• Multiple ESPs: For domains sending through multiple ESPs, it's essential to understand how to set up email authentication for each to avoid conflicts and ensure proper authentication.

Key opinions

• Initial Confusion: Many marketers initially find the need for two DKIM keys puzzling, assuming one should suffice for domain authentication.
• Authentication Process: Marketers frequently confirm that selecting Advanced Settings during SendGrid domain authentication often reveals the option to choose a custom DKIM selector, which is necessary for setting up the required records.
• DNS Record Management: The process involves adding specific CNAME or TXT records to their DNS, which can sometimes be a source of errors if not done precisely.
• Deliverability Impact: Correctly configured DKIM is understood to be vital for email deliverability and ensuring messages don't land in spam folders.

Key considerations

• Troubleshooting: Domain authentication issues often stem from incorrect DNS entries or delays in DNS propagation, requiring careful troubleshooting.
• Subdomain Use: Marketers frequently use subdomains for email sending, which may require separate authentication setups, similar to the broader discussion on what DNS records are needed for email sending subdomains.
• Platform Compatibility: Some website builders or DNS providers have specific nuances that can affect how DKIM records are added or recognized, leading to authentication challenges.
• Key Bit Length: Concerns can arise regarding the bit length of DKIM keys, as some systems might require longer keys (e.g., 2048-bit) than what an ESP provides, which can impact specific client requirements. A discussion on this can be found on Spiceworks Community.

Key opinions

• Mandatory Key Rotation: Experts confirm that the two keys (typically CNAMEs) are essential for facilitating continuous key rotation, a practice that's crucial for robust security.
• Security Imperative: Any ESP not implementing key rotation, or an equivalent security measure like NS delegation, may not fully grasp the severe security implications of static keys.
• Minimizing Risk: Regular key rotation drastically shortens the window during which a compromised private key could be exploited to forge DKIM signatures, protecting against unauthorized email sending.
• Engineering Complexity: Implementing a system like SendGrid's, with per-domain separate keys and rotation, is significantly more complex from an engineering standpoint, but it offers superior security compared to a single, shared key model. Despite the complexity possibly leading to other issues, it is generally preferred.

Key considerations

• Forged Signatures: Without proper key rotation, a single breach (e.g., old backup tapes, open cloud storage, insider threat) could enable attackers to forge DKIM signatures indefinitely.
• Standard Practice: Using multiple DKIM records and selectors is considered a best practice for smooth key updates and robust email authentication, aligning with modern security standards.
• Aligning with DMARC: Robust DKIM setup is critical for DMARC (Domain-based Message Authentication, Reporting, and Conformance) alignment, which helps prevent phishing and spoofing. Understanding the relationship between DMARC, SPF, and DKIM is key.
• Selector Management: ESPs often use specific DKIM selectors (like s1, s2) to manage different keys. Familiarity with common DKIM selector names can aid setup and troubleshooting.

Key findings

• Custom DKIM Selector: Documentation confirms that configuring domain authentication in platforms like SendGrid often requires the use of a custom DKIM selector to enable the necessary DNS records.
• Multiple Records for Verification: ESPs generally require multiple DNS records, including DKIM, for full domain ownership verification and to enable sending from that domain, as highlighted by Gravity SMTP Documentation.
• Key Update Facilitation: Having multiple DKIM records (e.g., s1 and s2) simplifies the process of updating keys smoothly, allowing a switch to new keys without service disruption, as explained by DuoCircle.
• Selector Naming Conventions: Documentation implicitly or explicitly references common DKIM selector name examples and practices for managing multiple keys effectively.

Key considerations

• DNS Propagation Times: While documentation guides setup, it's implied that users must account for DNS propagation delays when new records are added or updated, which can affect when the authentication becomes active.
• RFC Compliance: The use of multiple keys aligns with the flexibility allowed by DKIM specifications, which permit multiple selectors for a domain to manage different signing practices or keys.
• Automated Rotation: Many ESPs automate the key rotation process once the initial dual-key setup is complete, minimizing ongoing manual intervention from the user.
• Impact on Deliverability: Documentation consistently emphasizes that correct DKIM setup, including multiple keys where required, is fundamental for robust email authentication, which directly impacts deliverability and trust with receiving mail servers.